An Analysis of GhostR Threat Actor Group’s Data Breaches on Singaporean Companies

Executive Summary

The surge in data breaches across Asia, particularly by the threat actor GhostR, highlights the region's growing cybersecurity vulnerabilities. Singapore has been notably affected, with significant breaches impacting various sectors, including a major incident involving 128,000 customers of 12 licensed moneylenders. This breach, linked to the compromise of the third-party IT vendor Ezynetic, underscores the critical need for robust cybersecurity measures.

Overview of GhostR’s Activities

GhostR is a financially motivated threat actor known for extensive data breaches and criminal activities. Since 2023, they have expanded their operations from targeting government sectors to a broader range of industries, including healthcare, retail, and finance. GhostR demonstrates a sophisticated approach to criminal activities, focusing on significant data breaches and involving various sectors.  

The analysis shows a steady increase in GhostR’s cyber activities globally, with a total of 341 posts, reflecting their presence across various sectors and regions. Notably, GhostR’s operations in Singapore show a focused effort, with 70 posts indicating a heightened regional focus. The data highlights spikes in activity during November 2023 and May 2024, aligning with major cyber events and vulnerabilities. In Singapore, these activities were concentrated in April and May 2024, suggesting targeted efforts possibly linked to specific regional vulnerabilities. The spikes in activity during certain months demonstrate GhostR's strategic approach, involving targeted attacks, data leaks, and ransom demands. This pattern highlights the need for stronger cybersecurity measures in Singapore, as GhostR adapts to emerging threats and vulnerabilities, signalling a complex and evolving threat landscape.

Key Findings

GhostR operates under the aliases "GHOSTR" and "ghostr," actively posting on forums like BreachForums, XSS, and DarkForums. They also participate in other forums such as SecretForum. These platforms are used to distribute information, communicate with buyers, and negotiate the sale of stolen data. GhostR's use of multiple aliases and forums suggests a strategic effort to maintain anonymity and expand their influence in the cybercriminal community.

Key Observations and Analysis Decisions

We identified relevant posts and discussions involving GhostR and any activities related to Singapore by examining various forums. Our investigation included a thorough review of GhostR's presence on BreachForum, XSS, DarkForum, and SecretForums. We focused on data breaches linked to Singapore, observing a significant increase in GhostR's activities targeting the region starting in early 2023, following minimal activity from 2015 to 2022.

Conclusion

This report underscores the increasing cyber threat posed by GhostR, particularly in Singapore. Their activities, marked by extensive data breaches, reveal a disturbing trend in targeting diverse sectors, including healthcare, retail, and finance. GhostR's use of multiple aliases and forums for distributing stolen data highlights their strategic approach to maintaining anonymity and expanding their criminal reach. The data breaches highlighted in this report underscore the critical need for enhanced cybersecurity protocols to safeguard sensitive information and address the challenges posed by advanced threat actors such as GhostR.